AI Center

2020.10

false

Release Notes
Requirements
- Hardware and software requirements
- AI Fabric architecture
Installation
Getting Started
- About AI Fabric
- Using AI Fabric
Projects
- About Projects
- Managing Projects
Datasets
- About Datasets
- Managing Datasets
ML Packages
Pipelines
ML Skills
- About ML Skills
- Managing ML Skills
ML Logs
- About ML Logs
Document Understanding in AI Fabric
- Data Manager
- OCR Services
Basic Troubleshooting Guide
- General AI Center Troubleshooting and FAQs

AI Center

Last updated Mar 11, 2024

1. Provision an Azure AKS Cluster

This section details the steps that need to be taken when provisioning a AKS cluster to run AI Fabric in a Highly Available, multi-node configuration.

Note:

AI Fabric installation is currently supported on a fresh, dedicated AKS cluster. A shared cluster with unknown polices/restriction may need additional workaround and is not officially supported.
If your AI Fabric usage is very high & Horizontal scaling is required to support wide variety of AI/ML use cases at your org
You need an highly available solution deployed across multiple zones
Require Multiple Replicas for both Core & ML Services for Disaster recovery as well as scaling purpose
Highly Available Kubernetes Cluster Managed by Azure
Highly Available Container Registry Managed by Azure
Highly Available Cloud Storage managed by Azure
Horizontal Pod Autoscaler i.e Scale no of pods for core services based on workload
Kubernetes Cluster Autoscaler i.e increase the no of nodes in the AKS cluster based on demand automatically for both CPU & GPU Node Pools
Taints for GPU to ensure GPU resources are used for desired purpose
Certificates are provisioned & managed through Cert Manager

Prerequisites

AKS Cluster with minimum two node-pools. At least one node-pool with GPU type nodes and proper taints.
Azure Container Registry in the same RG as of the Cluster
One storage account in the same RG as of the Cluster
One application Insights instance in the same RG as of the Cluster
SQL Server with databases created

Installation steps overview

This section provides a high level overview of the steps, the next two sections break this process down in detail.

User creates AKS Cluster, Azure Container Registry, 1 storage account, 1 application-insights instance.
Oneinstaller will take following things as input :
```
AKS Cluster name
AKS Cluster Resource Group
AKS Worker Resource Group
ACR Endpoint
ACR Name (Username)
ACR Password
Storage Account Name
Storage Account Key
Application Insights Key
Flag to indicate whether to expose kotsadm service or not
DNS Prefix Name for aifabricAKS Cluster name
AKS Cluster Resource Group
AKS Worker Resource Group
ACR Endpoint
ACR Name (Username)
ACR Password
Storage Account Name
Storage Account Key
Application Insights Key
Flag to indicate whether to expose kotsadm service or not
DNS Prefix Name for aifabric
```
Then customer logs in to shell.azure.com, sets the correct subscription ID - using "az account set --subscription"
Shell should have kubectl installed already.
Then copy the one-installer bundle to the shell, unzip it and run bash setup.sh, above values can either be passed via command line or if it is not passed in command line, our installer will again ask for them.
Enter "azure" in platform input. And everything else will be provisioned after this.

Components to be installed by One-Installer

Kotsadmin and kots application in aifabric namespace
Istio installation in istio-system namespace
Create containers in the storage account provided by them (equivalent of buckets)
Apply CORS policy on the storage account
Assign the provided dns prefix to the Public IP of the istio gateway
Install Cert Manager in cert-manager namespace
Install Velero (in velero namespace), create a backup and schedule regular backups.

Detailed infra setup

Creating an AKS Cluster

Skip this step if you already have AKS cluster installed. Kubernetes version should be 1.16, 1.17 or 1.18. Other versions are not supported currently.

Create a resource group in Azure, you should have Owner role at the resource group level.
Search Kubernetes Services in portal and create a new instance of AKS.
Select the resource group you created in step #1a and give a suitable cluster name of your choice.
Make sure your Kubernetes version is 1.16, 1.17 or 1.18.
Select Node Size for worker nodes, (Min recommended size Standard_D2_v3 with 3 Nodes)
Under Authentication Tab -
- Authentication Methods, select “System-assigned managed identity”
Under Networking Tab -
- Select “Network Configuration“ as “Azure CNI“
- Select “Network Policy“ as Azure
- Keep other fields same.
Under Integrations Tab -
- If you have a container registry in the same resource group select that, this will be used to push docker images built at run time.
- Or select Create New > Give a suitable registry name > Select “Admin User“ as Enable
Under Tags Tab, give suitable tags as required.
Click on “Review + Create“ and create the cluster.

Create Node Pools

AI Center needs min 2 NodePools to be created in your cluster, 1 gets created when you created the Cluster, you will have to create another one as well. 1 of these node pools is expected to be of nodes with GPUs attached. We identify if such node pool exists or not by using the Taints on the node pool.

We check for this taint nvidia.com/gpu=present:NoSchedule

To create a NodePool with this taint, you can use below command (sample)

az aks nodepool add --name gpunodepool \)\)
      --enable-cluster-autoscaler \)\)
      --resource-group ${RESOURCEGROUP} \)\)
      --cluster-name ${AKSCLUSTERNAME} \)\)
      --node-vm-size Standard_NC6 \)\)
      --node-taints nvidia.com/gpu=present:NoSchedule \)\)
      --labels accelerator=nvidia \)\)
      --node-count 0 \)\)
      --min-count 0 \)\)
      --max-count 3az aks nodepool add --name gpunodepool \)\)
      --enable-cluster-autoscaler \)\)
      --resource-group ${RESOURCEGROUP} \)\)
      --cluster-name ${AKSCLUSTERNAME} \)\)
      --node-vm-size Standard_NC6 \)\)
      --node-taints nvidia.com/gpu=present:NoSchedule \)\)
      --labels accelerator=nvidia \)\)
      --node-count 0 \)\)
      --min-count 0 \)\)
      --max-count 3

--node-vm-size you can change based on the type of node you want to use for GPU. Check here for supported GPU VM sizes in Azure.

Create a Storage Account

Create a storage account in the same resource group where your cluster is deployed. We will be using this storage account to create containers to store the AIFabric related files

Search storage accounts in the portal
Create new storage account.
Select the above resource group
Give a suitable name to the storage account
Keep rest of the settings default. Add tags and create the account.

Create Application Insights Instance

Create 1 application insights instance in the same RG where AIFabric will be publishing its logs

Search “Application Insights“ in the portal
Create New Instance
Select above Resource group
Give a suitable name to the instance
In Resource Mode, select Classic
Add tags and Create.

AI Fabric installation steps

If your AKS Cluster is private, there will be additional steps detailed here.

Open Shell

Once above infra is setup, open shell.azure.com and set the current subscription to the one where your RG is present, using following command -

az account set --subscription <subscription-id>
az extension add --name application-insightsaz account set --subscription <subscription-id>
az extension add --name application-insights

Download the installer

First step is to download installer zip file here and move it to AI Center server. Alternatively, you can download it directly from the machine using following command

wget https://download.uipath.com/aifabric/online-installer/v2020.10.2/aifabric-installer-v20.10.2.tar.gzwget https://download.uipath.com/aifabric/online-installer/v2020.10.2/aifabric-installer-v20.10.2.tar.gz

Then untar the file and go inside main folder using following command:

tar -xvf aifabric-installer-v20.10.2.tar.gz
cd ./aifabric-installer-v20.10.2tar -xvf aifabric-installer-v20.10.2.tar.gz
cd ./aifabric-installer-v20.10.2

Run Setup

Then run setup.sh using following command

bash setup.sh --resourceGroup <YOUR RESOURCE GROUP> --clusterName <YOUR CLUSTER NAME> --exposeKots n --acrHost <YOUR CONTAINER REGISTRY> --acrUser <YOUR CR USERNAME> --acrKey <YOUR CR KEY> --workerResourcegroup <YOUR WORKER RG> --dnsPrefix aicapp --storageAccountName <YOUR STORAGE ACCOUNT> --storageAccountAccessKey <YOUR STORAGE ACCOUNT ACCESS KEY> --appInsightsKey <YOUR ACCESS KEY> --platform azure --email <YOUR EMAIL>bash setup.sh --resourceGroup <YOUR RESOURCE GROUP> --clusterName <YOUR CLUSTER NAME> --exposeKots n --acrHost <YOUR CONTAINER REGISTRY> --acrUser <YOUR CR USERNAME> --acrKey <YOUR CR KEY> --workerResourcegroup <YOUR WORKER RG> --dnsPrefix aicapp --storageAccountName <YOUR STORAGE ACCOUNT> --storageAccountAccessKey <YOUR STORAGE ACCOUNT ACCESS KEY> --appInsightsKey <YOUR ACCESS KEY> --platform azure --email <YOUR EMAIL>

Please replace corresponding values according to your setup, as explained below.

The parameters in the above command are as below (if they are not passed in the command, installer will again ask for them) -

platform → azure

resourceGroup → Resource group where we created the cluster and other resources

workerResourcegroup → AKS creates another resource group along with your cluster to maintain the cluster workload, please give that name. Search with your original resource group name in the portal and you will get the other RG name as well, usually this name will be similar to MC_<rg-name><cluster-name><region>

clusterName → AKS Cluster Name

exposeKots → Whether to expose Kotsadmin over internet or not. (y/n)

acrHost → Go to the container registry that was selected in AKS, and get the server name as below

acrUser → This is the registry name that was created.

acrKey → Go to the Access Keys on the ACR page and give any one of the passwords from there

dnsPrefix → DNS Prefix to be used for AIFabric ingress, (like aifabric, aim-app, anything you want)

storageAccountName → Storage account name that was created in the same resource group in step #3

storageAccountAccessKey → go to the storage account page → Access Keys. Click on “Show Keys” and copy any one of the Key from key1 or key2 and pass it.

appInsightsKey → Application insights key for the one that was created. (Instrumentation Key from below screenshot)

email → Email id to be used to notify about certificate expiration details

Important:

The installation might fail with the application insights not found error for the first time, re-run should pass, or you can install the az extension using this command and re-run the installation

az extension add --name application-insights

AKS private cluster

If your AKS Cluster is private, there are some differences to the installation process above.

Create 1 Ubuntu VM in the same network as that of the aks cluster
Install kubectl, az, helm and jq command line tools there.
There will be an azure client with the same name as your AKS Cluster, go to ask cluster’s vnet and under access policies add this client as Contributor (This is required for private load balancer creation)

az login
az account set --subscription <subscription-id>az login
az account set --subscription <subscription-id>

In bash setup.sh command you will have to pass another parameter, --isPrivate y
Istio and KotsAdmin will be exposed over private load balancer IP addresses.
Expose_kots flag will be ignored in this case and kotsadmin service will be assigned one internal load-balancer
As private IP addresses cannot have public DNS names, we create a self signed cert for Istio.
On Kotsadmin page, Ingress Host will be the Istio private IP from the oneinstaller output. You can check that any time by running and getting the External IP address -
```
kubectl -n istio-system get svc istio-ingressgatewaykubectl -n istio-system get svc istio-ingressgateway
```
You will be able to use AIFabric at https://<istio-private-ip>/ai-app from the private network wherever AKS VNET is accessible.
If you want to expose this to the internet, you will have to redirect the traffic from public facing gateway to this internal IP on 443 port.

Create a public facing gateway
Configure the gateway to send the traffic from 443 port to <istio-private-ip>:443
Use the gateway’s public IP or a DNS entry pointing to this gateway as Ingress Host in the Kotsadmin
Gateway configuration requires TLS certs details to connect to the backend server, if you want to update your own certs for AIFabric, you can upload them from kotsadmin -
Also if you gateway requires health check, you can use /ai-deployer/actuator/health URL.

Detailed explanation on setting up Azure Gateway

Create an Azure Application gateway instance linked to the same vnet as of AKS or some vnet which is peered with the AKS vnet
Create a backend pools entry with the Istio loadbalancer private IP
Create https settings entry with port 443, If you are going to use self signed certs, follow the documentation https://docs.microsoft.com/en-us/azure/application-gateway/self-signed-certificates to create self signed CA and server certificates (while generating server cert, under common name field enter the Istio LB), also under host name setting, select “Override with specific domain name“ and put the ip of Istio LB
Upload the CA certificate in the Trusted Root Certificate field.
Upload the server certificates created above in the kotsadmin, use the public IP of the gateway and trigger a deployment from kotsadmin.
Generate a pfx file from the server cert and key created above, like -openssl pkcs12 -export -out contoso.pfx -inkey fabrikam.key -in fabrikam.crt.
Create a listener entry in the gateway with 443 port and upload this pfx file there.
Create a Rule in gateway, selecting the above listener, http setting and backend target.
Create a health probe entry with https, put the host as IP address of the Istio loadbalancer. Put this /ai-deployer/actuator/health as path and select the above http setting created in step 3.

Infrastructure provisioning

Requirement	Note
Azure Resource Group with Owner Access
Ensure you have sufficient vCPUs available in the region where you have created your Resource Group	Minimum number of vCPUs available should be 16. Run this command to check what is available to you in the region that hosts your Resource Group: `az vm list-skus --location westeurope --output table \| grep virtualMachines`.
Ensure you have the appropriate machine types available in the region where you have created your Resource Group	By default, these machines are `Standard_D8s_v3 & Standard_NC6`. Run this command to check what is available to you in the region that hosts your Resource Group:`az vm list-skus --location westeurope --output table \| grep virtualMachines`.
Ensure you add Mandatory Tags	Please confirm you know if there are mandatory tags that are required for tagging the resources at the time of provisioning under your company's Azure subscription.

Download Infrastructure Provisioning Script

Download aks-arm.zip folder from UiPath ai-customer-scripts repo i.e from this location, https://github.com/UiPath/ai-customer-scripts/blob/master/platform/aks/aks-arm.zip

Requirements before proceeding

Requirement	Note
Working Orchestrator 20.10 Installation	Reference here
SQL Server 2008 R2 or above	Reference here
SQL Server Authentication must be enabled	Contact your SQL Server admin.
SQL Credentials that allow for database and role creation.	Contact your SQL Server admin.
Have a compatible browser	Reference
Boot Disk needs to be at least 200GB	Reference here
On worker nodes, secondary Disk(s) of at least 500GB in aggregate need to be unformatted	Reference here
Connect to Orchestrator from AI Fabric Master Node. Must be able to connect via domain name.	`telnet <Orchestrator-Domain-Name> <port>` from the AI Fabric UCP node must work.
Connect to Database from AI Fabric Master node.	`telnet <SQL-Server-IP> <port>` from the AI Fabric UCP node must work.
Connect from Robot/Studio machines to AI Fabric Master node.	`telnet <UCP-Host-IP> 33443` and `telnet <UCP-Host-IP> 33390` from robot/studio machines must work. That is, robot/studio machine will be clients to the server on port 33443 and 33390.
Connect to Endpoints needed by installer from AI Fabric machine.	AIFabric machine must not have blocked outbound access to the endpoints
Domain Certificate (for AI Fabric machine) from a trusted CA authority.	Reference here
AI Fabric license file.	Reference here